Sunday, February 22, 2009

Alvis and Lavie are watching the Oscars tonight and I’m along for the ride.

I wasn’t able to come even close to getting out some of the posting I wanted. Nothing like a short weekend, a bit of weed-pulling in the yard, and the regular mix of loving on the girls to wear a weekend out.

Couple that with my curiosity and dogged determination to note a few problems for research, then spend a few more hours or two researching those things. Next thing I know I’ve quadrupled the number of links…and post topics....I was planning to work on.

Here are some miscellaneous links I’ve collected this past week.

The nominees this week are…

U3 Removal Tool – The link to remove this enhanced feature from some USB drives has been changed. This is the new one. I always keep this handy and remove U3 from our family USB drives if purchased so equipped.

<--InGuardians --> Defensive Intelligence – Great collection of some good cheat-sheets on Windows Command Line Tools, Super Netcat Cheat Sheet , and Useful Attack Tools. While you are there picking up those PDF’s, take a look around and consider some other pen-testing papers while you are at it.

Sunbelt Blog: New Sunbelt research site – Alex Eckelberry and his team have been hard at work developing a useful portal for researchers of virus/malware related items over at (beta page link).sunbeltsecurity.com. Research information on current threats, submit a wild threat, submit a false-positive report (for Sunbelt products), upload a suspicious file to their automated sandbox server to see what the system might do on a live system, and much more. Certainly a site worth bookmarking.

Highlighter v1.0.1 Released – Mandiant M-unition Blog – Miscellaneous fixes and performance gain for Highlighter, a great and cool-featured log-file parser and text file viewer. They also gave notice they are working towards large file (1GB+) log-file support. Neat.

MindSniffer, Updated Audit Viewer released – Mandiant M-unition Blog – MindSniffer is “…a tool that will allow the user to translate snort signatures to either XML jobs or python plugins that can be used to identify processes containing strings that match snort signatures.” While Audit Viewer got a large number of strong modifications and feature enhancements including the ability to launch Memorize another free and useful memory image capture tool for system investigators. “Audit Viewer is an open source tool that allows users to examine the results of Memoryze’s analysis. Audit Viewer allows the incident responder or forensic analyst to quickly view complex XML output in an easily readable format.”

And the award for the most cool tools in single post this week goes to….

Looking for "Bad Stuff", part I – Last but not least, Windows forensic expert Harlan Carvey has a great post full of all kinds of awesome links (including a GSD post) for getting starting on looking for baddies on a captured system. I’ve been heavy on imaging these past weeks so this particular section was very interesting reading!

Mounting The ImageOne of the first things we can do to make our analysis somewhat more efficient is to gather some tools. As such, we'd like to mount our image as a read-only file system...to do so, we can look to commercial apps such as ASRData's SmartMount, or you can use freeware tools such as ImDisk or VDKWin. The VDK executable will let you get the partition table information from within the acquired image, as will the GUI-based Partition Find and Mount (discussed at the SANS Forensic Blog)...however, Partition Find and Mount does not appear to have the ability to mount a partition read-only; it will reportedly allow you to mount a potentially corrupted partition, so this may be an option...in order to recover data for analysis, mount the partition, and then acquire an image of it.

Harlan then goes on to targeting the value of Log files, Event logs, Registry analysis, and some very specialized malware hunting and busting tools well worth remembering and becoming familiar with such as missidentify, sigcheck, LADS (see also Nir Sofer’s tool ), and YARA and Scout Sniper.

Long story short, a business system crashed, some system recovery was applied, and the result was that critical files disappeared. Dwight was brought in to help try to get them back and asked for advice from his blog followers.

Stop, Drop, and Roll

When you encounter the situation where your data is gone, here are some immediate steps to help mitigate the disaster:

Shut down the system immediately. Don’t try to do a “System Restore”. Don’t try to replace a year’s worth of data by putting the contents of the Recycle Bin back on the system. Shut it down immediately. If it is mission-critical just kill the power and skip the graceful power-off steps.

Don’t try to do anything else at the moment. The more you fiddle, repair, and “fix” the system trying to get the files back in your panic and stress, the greater likely-hood of overwriting the data on your drive. It’s also easier to make silly mistakes when you are stressed.

Walk away, take a deep breath and develop a strategy for your recovery attack.

Unless your drive hardware cratered or a secure-deletion/wipe occurred, there is a very good chance the data is still sitting there. The trick will be to access it again.

I personally recommend pulling the drive out of the system and either placing it as a “slave” drive in another system or into a USB drive enclosure to access. This increases the chance you will avoid rebooting the system accidentally.

If it is mission-critical data you are trying to resuscitate, get an image-capture of the drive before doing anything else. No file-based imaging will do; you must do a sector-based image capture so we can get every bit of data that the original has, including those that are no longer recorded in the file allocation table. Ghost and Linux’s “dd” methods are good examples. Clonezilla, ImageX, DriveImage XML are not.

Some imaging solutions will allow you to mount the image so you can work with your copy rather than the actual drive. That brings more options to the table.

Forensic experts use both write-back blockers with the physical drive as well as software that is configured to read only, all to avoid compromise of the original drive. They do this to preserve the integrity of the original contents which is something we should keep in mind as well.

Plan for where you will put the files if you recover them. Have another USB drive or storage device handy to move the (hopefully) recovered files to. Writing the recovered files back to the same drive risks corrupting the files and data with overwriting.

For even more tips and guidance, check out the following guide from Easeus:

In most of my situations, I am using Windows as my recovery environment. Either via Win PE boot disk or with Windows XP/Vista as the host and the target drive as a slave or mounted image. Thus most all the tools I’m mentioning are Windows-based. That is the sea I swim in at home and work so I have to be prepared to support it.

Many of these are “portable” meaning they can run from a LiveCD or USB device. Particularly flexible if you are using a Win PE based boot disk. Check the licensing as some may be free for personal use but may not be free for business use.

PC Inspector File Recovery – This remains my primary tool for file recovery. The interface is a bit wonky but it seems to get the job done really well. Scans can take a long time to process an entire disk, but it has been very successful in the attempts I have needed it for.

Recuva - Undelete, Unerase, File Recovery – This is my second “go-to” file recovery tool. It is very easy to use and has a non-technical interface. As an added bonus there is a previewer window to view images on pre-recovered files (graphic files) as well as file properties and information. The fast scan rarely provides many finds, but the in-depth scan can recover loads of stuff…if you are patient! It also has a filter tool to narrow down the results in various file formats or you can enter your own wildcard criteria if you are looking for a particularly named file. See this Using Recuva tutorial for more.

PhotoRec – CGSecurity – Although geared primarily to recovering graphics-related files that have been deleted, it can handle other files as well. The GUI is command-text based, so nothing sexy here, but you don’t have to look sexy to be good! As an added benefit it runs on a variety of OS. PhotoRec Step By Step is a great tutorial.

TestDisk – CGSecurity – Same folks as PhotoRec but this tool is focused primarily at getting back systems partitions that have been damaged or destroyed. Besides the MBR and partition recovery work, it also can recover deleted files and/or copy them to another drive.

DiskDigger – Dmitry Brant – Had to update this post to add this new release in. Portable and does not require an install. Also has a preview feature so you can see what it is you are about to recover, and how much of the data from the file is present. Nice GUI, easy to use, does sector-based scanning for the file-search, and filtering of scans for particular file types common to most home-user and office systems. Spotted tonight via Lifehacker.

Roadkil.’s Undelete – No bells or whistles. Just a simple and direct deleted file-recovery application.

DataRecovery – A step up on the simplicity scale. Unpack and run. No install needed. Fast and deep scans available. Sort and filter results. Also allows you to secure-wipe deleted files for never-again-recovery. GUI interface is simple for beginners.

ADRC Data Recovery Tools - A full package of advanced data recovery tools. Not only can you recover deleted files, but you can also create a disk image for backup and restore it to another drive, you can copy files from drives with bad sectors, do a disk clone, backup/edit/restore your boot parameters and much more! The website is off line sometimes so you might want to try this alternative download location: The Portable Freeware Collection - ADRC Data Recovery Tools

SoftPerfect File Recovery – Very simple to use interface and not many items. Great if you have to suggest just such a program tell your extended family member to try without your supervision but it’s a non-critical file (say grandma’s cookie recipe that is written down elsewhere in the house)

Recover Files – Heavy duty tool that is hard to believe is free. This has a lot of options for filtering results, looking for specific sizes or dates, and hiding of overwritten or temporary system files. The interface is nice as well. Because it is able to display results in the original folder structure, it makes it easier to navigate in your search for a particular deleted file(s).

Pandora File Recovery – offered in both a free “installable” version as well as a portable version shipping on USB drive for purchase. Many of the same features as others, but with some other bells and whistles like estimating the success of recovery, previewing certain files and properties before recovery, etc.

Restoration 3.2.13 – No install needed. Download, unpack, and run. Very simple interface and not many options. If tiny is what you want, this is a good option.

NTFS Undelete – High marks for two different reasons. First it has a nice clean and clear interface that doesn’t require much work to get started. Second, they provide a ISO-download to instantly create your own boot disk with the application on it already. Very nice for folks who aren’t into rescue-disk building. Oh yeah, did I mention it was open-source?

FileExtractor – Another open-source tool for recovering deleted files. While the interface is a bit GUI-simple, a big plus for the non-technical folks is that it is wizard-based. So once you get the program running it will hold your hand and guide you through the recovery stages.

SystemRescueCd – Linux LiveCD that allows off-line booting of a system. Comes with great partition recovery and management tools along with some file recovery tools previously mentioned above. A solid solution. For more details see Quick start guide.

Windows FE – (GSD Blog post) - You have to build and pack it up yourself, but the benefit of Win FE is that it is set to prevent write-back to any local drives it finds. Keeps you from overwriting the drive by accident.

Win PE -- (GSD Blog post collection) – Windows PE is a built-it-yourself LiveCD environment that has a big plus of being able to run most “portable” Windows applications. So if you have a favorite Windows supported file-recovery program and it is portable, it just might run great off this boot-environment in an OS you are comfortable in.

VistaPE (project page) and Custom Win PE Boot Disk Building (GSD Blog post) – Build a Vista-based Win PE 2.0 boot disk with lots of awesome tools and utilities. I love this project and have done a lot of work in it. If other Linux LiveCD projects didn’t have so many awesome tools and utilities, I would probably use it exclusively.

Ultimate Boot CD – An awesome pre-packaged collection of tools and utilities (mostly simple-GUI only) on a bootable CD. Simply a must-carry in every sysadmin and troubleshooting responder’s toolkit. Packs a number of file-recovery tools on the disk.

In Dwight’s case he was very lucky and was able to use Recuva despite all the previous work and remediation done on the system before he got there.

They broke most of the “rules” but still made off like bandits.

Which gives hopes to everyone else that if he can do it, even in those circumstance, mere mortals might also stand a chance to get grandma’s cookie recipe back from the brink of deleted disaster.

Pick out one or two or three, with slightly different items to provide you a number of options, then practice and get comfortable and experienced in using them.

And consider this; if these free tools can help mere mortals, imagine what a trained and experienced forensic examiner can do with the right tools, skills, and proper acquisition and recovery procedure! It makes my heart warm with envy.

If you want it really gone, then you need to do a secure wipe of either the entire disk or at least the “free-space”…but that’s another post.

The primary item I was looking for, a solid freeware prescription manager, was still never found. I had found and offered Lavie some alternatives, but none really captured her imagination.

So the other day she asked me if I could help her take another look for some.

Apparently, the intervening years have been very good.

Not only did I find one; I found three—all free!

JCMatt software -- My Medications List Lite – (freeware) - Down and dirty simple. Enter the name of the medication, the dosage, any instructions, quantity, next refill date, and any notes. Nice plain interface. You can print out the items, and view the embedded calendar. Items listed have their “refill date” turn red when they reach less than seven days until the refill comes due. This can remind you to call in your prescription renewal early.

JCMatt software -- My Medications List - (freeware) – Same concept but on steroids. Track name, dosage, type (tablet, capsule, etc.), quantity, pills/day, dosing instructions, cost, condition, Rx Number, last refill date, last renewal date, and a notes field. View a running total of the medication (each/all) monthly, quarterly, yearly. Not only can you print them, but you can also email or fax them (integrates with your default services) to your pharmacy and/or doctor with pre-formatted fields.

There is no calendar like the “lite” version, but the info bar above the list will show green if you are on an item in good standing, but will display boldly-red if the prescription has less than seven days to go before renewal.

There is also a “web-lookup” button. Select a particular medication entry, and then click the “lookup” button. Your default web browser will go to the online medication research site Drugs.com so you can get additional information on the item.

Imagine printing all this information on your prescription history before you go to your doctor visits! No more guessing or relying on memory.

Both the “full” and “lite” versions are supported on MS Windows 95/98/Me/NT4/2000/XP/Vista.

The only drawbacks I have found so far is that they are not “portable” out of the box. They require an installation on the host system. I didn’t notice any ads or other “junk” that accompanied the installation so they appear clean and “system friendly”. Super nice! I do wish that they integrated their prescription renewal dates in a embedded calendar…which the full version seems to lack.

While you can’t track all the family member’s prescriptions in a single database, you can create a file for each person and track that way.

Lavie likes the “full” version of JCMatt software’s “My Medications List” as it has the level of detail and item-management that she demands.

I’m sure that short of making your own up in a spreadsheet or database, one of these will be found sufficient to meet your home and family prescription tracking needs.

Making them Portable

Alas, it isn’t always so easy to unpack the setup file or just copy the program folder to another location and uninstall the application. These seem to use some slightly uncommon installers and need some helper files that get installed outside the program folder.

My Medications List Lite

Download and unzip the file. Run the setup program.

Once installed find the program folder under the “C:\Program Files\My Medications List Lite” and copy this folder to another location.

Then search and find the following files that were either added to the “C:\Windows\system32” folder or were attempted to be added there:

"C:\Windows\System32\hh.exe"

"C:\Windows\System32\itircl.dll”

"C:\Windows\System32\itss.dll"

"C:\Windows\System32\hhctrl.ocx"

"C:\Windows\System32\MSFLXGRD.OCX"

Copy them into the copied “My Medications List Lite” folder as well.

The following files were already present on my Vista system before the install but I copied them into the copied folder anyway.

"C:\WINDOWS\SYSTEM32\VB6STKIT.DLL"

"C:\WINDOWS\SYSTEM32\COMCAT.DLL"

"C:\WINDOWS\SYSTEM32\STDOLE2.TLB"

"C:\WINDOWS\SYSTEM32\ASYCFILT.DLL

"C:\WINDOWS\SYSTEM32\OLEPRO32.DLL"

"C:\WINDOWS\SYSTEM32\OLEAUT32.DLL"

"C:\WINDOWS\SYSTEM32\msvbvm60.dll"

Now uninstall “My Medications List Lite” using the Add/Remove programs under the Control Panel.

Finally browse back to the copied folder and launch “My Medications List Lite.exe”.

Works fine on Vista. Should work well on XP as well. Total program folder size = 3.36 MB. It would be a lot smaller if I hadn’t bother copying that second set of pre-existing applications in there.

My Medications List

Download and unzip the file. Run the setup program.

Once installed find the program folder under the “C:\Program Files\My Medications List” and copy this folder to another location.

Then search and find the following files that were either added to the “C:\Windows\system32” folder or were attempted to be added there:

"C:\Windows\system32\MSWINSCK.OCX"

"C:\Windows\system32\Splitter.ocx"

Copy them into the copied “My Medications List” folder as well.

Now uninstall “My Medications List” using the removal icon under the Program list .

Finally browse back to the copied folder and launch “My Medications List.exe”.

Works fine on Vista. Should work well on XP as well. Total program folder size = 1.08MB.

Medrex Free

Install the application. Once installed, find the program folder under the C:\Program Files\Medrex and copy this folder to another location. Then search and find the following files that were added to the C:\Windows\system32 folder:

"C:\Windows\system32\EPSFLA.OCX"

"C:\Windows\system32\IGThreed40.ocx"

"C:\Windows\system32\vbskpro2.ocx"

"C:\Windows\system32\mscal.ocx"

Copy them into the copied Medrex folder as well.

Now uninstall Medrex using the included uninstaller icon.

Finally browse back to the copied folder and launch meds.exe.

Works fine on Vista. Should work well on XP as well. Total program folder size = 1.19 MB

Note, based on my install monitoring, there is a bunch of registry key creation and file registration activity. Following the steps above seem to let the applications work well, but some features or elements might be “broken” in the process.

Don’t come crying to me if something happens unexpectedly.

I prefer “portable” applications so I can tote them around on USB sticks and such. However your mileage may vary.

Like I said earlier, these seem to install cleanly with no adds or other nuisances, so a full install on your system seems like a small price to pay for these great freeware prescription managers.

I prefer using Microsoft’s ImageX tool. Clonezilla is also used as an alternative imaging method. I find it useful to give our techs multiple methods to image a system. This allows flexibility if hardware issues make one method less reliable or problematic (usually due to available system RAM).

Both are “file based” imaging tools rather than “sector based” tool. Therefore they aren’t useful for forensic drive imaging, but that’s another post.

Not sure if this is up anyone’s alley, but I do look with interest in any tool that allows modification of anti-virus/anti-malware settings both from a tweaking and possible manipulation-attack vector.

I had picked up some Jockey Mock Neck (Hi-neck) T Shirts after a long search for just such a product. Head over there if you are interested in reading a long and detailed review of them.

Very short review:

love ‘em

long tails

tag-less (except for the tiny hamster-tail tab at the back bottom tail)

minimal horizontal shrinkage

acceptable vertical shrinkage due to starting length.

100% cotton (black or white colors available) with nice weight.

Nice high-neck collar…may be prone to light piling due to short beards.

They provide a crisp, professional look under uniforms and polo shirts, and will probably reduce “ring-around-the-collar” stains for button-downs.

TUG’s blog is a great source of all kinds of men’s undershirt reviews and linkage. So if you are a bit OCD regarding the fit, style, and performance of your undershirts, you might want to stop in and have a look around.

In summary, enterprise had deployed some Dell dual-core supported systems and then we later discovered that incorrect hall.dll and multi-core kernel files were included in the image, rendering the dual-barrel cpu’s single shooters.

In the post I outlined a method we ended up deploying to fix them “on the fly” in the field instead of having to reimage them with a corrected image build.

So many, many systems successfully fixed later I started getting calls saying weirdness was raising its head again.

Strike One

A field tech gave me a call after trying the fix and reported the following error after applying our fix:

He had followed the steps, replaced the single-core hal.dll and ntoskrnl.exe files with the multi-core versions particular to our system, and rebooted.

And was presented with the following error on a baby-blue Windows screen:

"autochk not found - skipping autocheck"

Rebooting the system repeated the error and neither system-restore or last good known configuration helped. Even after he copied the original files back (renamed .old in our process), the error would not go away.

We used a WinPE boot disk and verified that the autochk file was still present and accounted for in the C:\Windows\system32 folder.

Puzzled, we took down the notes, recovered the user data to a USB drive, and reimaged the system to get it going again with the fixed dual-core system image.

Strike Two

A few weeks later Mr. No (one of our senior network watchers) was in the field and was leading a project to update re-deployed systems. As such he was also checking for and updating the core files on some systems he discovered were not correctly applied

And he ended up with the same error.

Now my whole attention was on this. I could understand if a field tech made a mistake in the dual-core enablement process, but Mr. No? Not likely.

After a considerable amount of troubleshooting assistance over the phone, we again collected our notes and Mr. No bailed and reimaged the system, again after recovering the user’s data.

Why after a long run of success with this technique were both field techs and senior staff finding the process no longer working?

It’s Outta da Park!

Then I figured it out…while taking my morning shower last week…go figure.

It was simple.

When I got to the office I asked Mr. No what Service Pack level the system was at. He didn’t know because he hadn’t checked. Yep. Suspected as such.

So I fired up my image building system, XP Pro with SP3 and applied the dual-core fix to it, rebooted, and…

"autochk not found - skipping autocheck"

replicated exactly, the error message the team was seeing.

What I realized is that it was very likely (later confirmed) that the staff were first applying XP SP3 to the systems they were checking (yes, yes, enterprise still hasn’t pushed out SP3 to our systems yet…we are having to do the updates ourselves at this point…I know, but not my department….) before applying the dual-core fix.

When the autochk process ran at boot it knew that these system files were incorrect versions, thus borking the fix and boot.

So I extracted the XP SP3 file versions and issued updated instructions that everyone now has to check to see what SP version the XP system is running, then apply the correct multi-core files to the system.

As the files are captured on our systems:

XP Pro SP2

hal.dll & halmacpi.dll – file version 5.1.2600.2705

ntoskrnl.exe & ntkrnlmp.exe – file version 5.1.2600.3093

XP Pro SP3

hal.dll & halmacpi.dll – file version 5.1.2600.5512

ntoskrnl.exe & ntkrnlmp.exe – file version 5.1.2600.5657

Repeated tests on the imaging systems demonstrated this fixed that problem and would restore dual-core functionality to the appropriate systems.

So the lesson is this, if you have corrupted or incorrect core Windows systems files, be very, very sure if you seek to replace them with ones from another system or Windows setup disk, that you use ones from a similar Service Pack level. At the very least, check the file properties if possible and note the version number.

chml: a tool to control Windows Integrity Levels – Mark Minasi has also recently released a new version of CHML tool. This allows admins to look at a file’s Windows Integrity Level as well as make deeper modifications to it than are available from Microsoft’s own tool provides.

"Fix it" – The Next Evolution of KB Articles and WER - Ask the Performance Team blog. Microsoft is now making available “quick-fixes” via KB tips. These allow users to download a special software fix package and run it to apply the hot-fix or suggestion instead of having to decode and follow technical steps. It’s a nice move, provided that the users still are applying the correct fix in the first place.

Fix it for me blog – Microsoft blog by the Fix-it team that outlines their purpose and which KB’s have been updated with the “Fix-it” software download fixes.

Using RegRipper for malware detection – Windows Incident Response blog – Harlan really shows the benefits for sysadmins in being familiar with some forensic tools and techniques. Being familiar with registry research can help pin down malware detection and infection studies.

The Trojan solved it! Catching a fraudster with another criminal, ‘myspacce.exe’ - SANS Computer Forensics, Investigation, and Response blog. A really great study-read on how a malware infection gave away the subject of a forensics investigation. Again, the focus here is picking up tips for system admins on malware knowledge and user activity. Also valuable in showing how alternative data streams of NTFS can be used in research as well as looking in the System Restore points for timing of activity.

More tricks from Conficker and VM detection – SANS ISC Handler’s Diary blog – This time the focus is on how malware can use changes to the Access Control Lists (ACL/Windows File Permissions) settings on a particular registry key to prevent everyone (including Administrators) from removing the key. It also checks to see if it is running on a virtual machine. All indications is that this is a pretty sophisticated and well written nasty.

Best defense against malware: Smarter users – Chron.com TechBlog – local Houston reminder why a/v software itself might not be the end-all solution. Slow DAT file updates look like it bit the H-town city government in the rear.

Win32/Srizbi - Microsoft Malware Protection Center blog – Brief writeup of trojan dropper/rootkit that is targeted by the MSRT tool. Some technical information on where to look for it in the file system and registry as well as how it works. Good stuff.

IE8 Security Part VIII: SmartScreen Filter Release Candidate Update – IEBlog team details some improvements in the way their product will alert users to unsafe web-pages. Nice design work and is similar to what Firefox 3.x is using for end-user notifications as well. i hope we can deploy this at our workplace environment not long after it is released and tested on our internal web-site pages.

Exploit Shield 0.60 Beta - F-Secure Weblog – New version, now Vista compatible (32-bit at least) of a tool to provide various heuristics-based security protection. Haven’t personally tried it out yet, but likely will be tossing it on a virtual machine system in the near future.

Saturday, February 14, 2009

As long as I have been acquainting myself with both Window PE building and forensics LiveCD’s I keep stumbling over references to something known as Windows FE (aka. Win FE and WinFE) .

Now, I’m sure if I was a professional forensics investigator I would already have realms of info with this tool.

I’m not and I don’t so I will only speak to what I have discovered so any other curious Win PE builders who come across this reference will have some more detailed information.

Windows FE

From all indications, Windows FE (forensic environment) is a Windows PE based custom build that is offered by Microsoft to forensic examiners and law enforcement officers. It is not publically available.

The official information regarding it seems to suggest that it (and supporting tools) can be obtained from Microsoft only through their “LE Portal”

It provides a Windows PE LiveCD boot environment that allows Windows software to run, along with specific command-line tools that will assist and benefit the forensic examiner.

From all I have read, one of the “special” features is the ability to safely mount media to receive the captured image from a system as well as safe mounting of the host disk to prevent write-back that could harm the integrity of the recovered disk as evidence.

After much work, I finally was able to dig out a link that seems to describe exactly how the Windows FE base disk is built.

You might want to download it now just in case it is removed in the future.

That Word doc file is very interesting (to Win PE builders like me) and specifically outlines what makes WinFE (or Win FE) so special: it’s a registry mod (two actually) that prevents modification of any of the media on the booted system.

5. In regedit, go to the HKEY_LOCAL_MACHINE\winfesystem\ControlSet001\Services\MountMgr key, and if the NoAutoMount dword does not exist, create a dword named "NoAutoMount" with a setting of 1. If the key already exists, change the setting to 1 if it is any other value.

6. Next, go to HKEY_LOCAL_MACHINE\winfesystem\ControlSet001\Services\partmgr\Parameters and change the SanPolicy setting to 3. (If the Parameters key does not exist, create it.) At this point, the registry in the mounted .wim file is set to boot and operate without mounting volumes or modifying media.

The rest of the document pretty much is just standard Win PE building stuff you have already read here at GSD blog or other sources.

Last updated September 2008, it contains a collection of tools for Windows-based forensics work.

I haven’t picked through them, but according to the “what’s included” there are at least nine modules that might be worth looking into for forensics students as well as sysadmins (like me) who seek to leverage the tools and techniques of the forensics pros for dealing with system issues, imaging, and malware incidence response events.

I swear I also saw on another forensics-blog and had previously bookmarked/blogged a reference to a third-party sponsored Win FE inspired package that might even have been USB based. However I have been unsuccessful at re-locating it.

However, while hunting this info down, I found a great forensics blog from the UK that made multiple “live-fire” references to using Win FE: Forensics from the sausage factory

I know Win FE is being used and touted in the forensics community. It showed up as a topic at the PFIC 2008 conference. Troy Larson is (still ?) a senior forensics investigator in Microsoft’s IT Security group. I’m sure he’s a cool and knowledgeable guy and his association with Microsoft makes perfect sense from the Win PE foundation angle.

My educated guess is that the “troyla” noted in the Word document I found and Troy Larson are one and the same. Cool!

I only wish he would release more gems on Win FE as they might be great for us Win PE builders. I understand the need to keep most of it under wraps for the “LE” (law enforcement) professionals but I bet there is some good stuff in there for system administrators who use Win PE builds in their daily applications.

I also suspect Windows 7 and the enhanced Win PE 3.0 environment will only bring more power and flexibility to this Win FE technique.

New Forensic Blog Finds

And here are some more interesting forensics-related blogs I found (or re-discovered) in the search-process:

They have some various news about the new product they will be soon offering.

BTW – Helix3 isn’t a version. The “3” references the three “modes” of Helix: Incident Response, Electronic Discovery, and Forensics. The last “free” version appears to be (2008R1) by my accounting. According to e-fense, the latest current version (for subscribers) is Helix3 2009R1.

I’ve got no beef with this decision. They’ve done considerable work getting this thing going and out the door for so long. Best wishes for them to earn some green from their efforts.

In addition to offering training sessions and various security-related services, they will also be bringing out three new/improved products:

Fortunately, the void left by Helix3 doesn’t seem to be open for long.

There are some new and improved offerings of LiveCD based forensic tools in the pipes.

Replacing Helix – SecuraBit – The SecuraBit team is working with the SUMO Linux (5 builds in one: Backtrack 3, Helix 2.0, Samurai Linux, DBAN, DVL) developer to make a replacement for Helix that combines the very best of all the free forensics tools out there. Can’t wait to see what this one will deliver!

Helix3 (free) – The last free version of Helix. Now fully requires contact info for direct-download of distro file.

SUMO Linux – mentioned before, this LiveDVD made by Marcus J. Carey and Sun Tzu Data packages four security and forensics related distributions into a single disk.

DEFT Linux – Until SecuraBit’s distro comes out, this is where my money is being placed at the moment. Right now the DEFT team has released version 4 of their Xubuntu based LiveCD for forensics work. There is a version 4.1 beta there, as well as word that version 4.2 is coming soon. DEFT version 5 might see release at the end of 2009. Also available are builds for a USB device install (bootable). All these DEFT versions also come with Windows forensics tool bags. Cool. I plan to do some downloading of these latest USB and beta versions next week. I’ll let you know what I “discover”.

Thanks for the memories. and I guess I had better make sure my current Helix ISO files are kept safe for the future.

Looking at the design and knowing how Alvis (and I) had been using it, I suspected the L-shaped design of the plug allowed it to swing downward and then when carelessly set on a lap, the ottoman, a table, etc. this could put pressure on the systemboard jack solder points and cause them to break. Take a look at what I mean below.

In most cases that plug wants to point directly down and makes a 90-degree connection into the laptop DC plug jack receptacle. Any pressure on the plug cord housing is transmitted directly to the plug jack as it is not fortified tightly/directly to the laptop casing body like some other systems I’ve seen (Dell).

I saw a guide once where a guy had hacked together a “strain-relief” connection with an unused modem jack plug/socket, cable, and some rubber bands. It was ugly but worked.

Unfortunately, the back of this model laptop only has the DC plug socket on one side and a VGA D-sub connection point on the other corner.

But wait….maybe I could make a low-profile “dummy cap” for it to which I can affix a clip of sorts to hook the AC cord wire into. That should keep the L-shaped AC/DC plug aligned safely so it doesn’t get jammed when resting on the desk or my lap and maybe apply pressure again that could re-break the solder joints.

I ran this thought across the D-man’s desk but he was having a hard time following.

So last weekend I did the hack and took pictures so everyone can see the MacGyver jury-rigging job that I did.

I got the pins-in-place model as I was thinking that the pins would help keep the jack aligned and attached more firmly. In hindsight I should have got the other one.

Once at home I got out the Dremel and drilled a vertical 90-degree hole in the portion of the connector just behind the "plate”. The hole was just large enough for a small plastic zip-fastener to fit through. I also ground-smooth the sharp edges created when I drilled out the hole to make sure the cord (or me) didn’t get cut by any burrs.

Once done I inspected the work.

The problem I saw was that when I drilled through it some of the pins were now very loose. I removed these with needle-nose pliers.

Then I wondered if maybe while making the cut, some metal fragments might cause a “short” between pins, thus sending a false signal to the VGA system. That probably wouldn’t be good.

So I ended up extracting them all to leave the connector “pin-less”.

I attached the connector on one end of the laptop.

I then plugged in the DC plug on one side.

I routed the cord horizontally across the back being sure to leave just a little bit of slack to keep tension off the jack itself.

Then I threaded the zip-tie through the hole and bound the cord snugly to the connector housing with it; trimming off the zip-tie excess when done.

Thoughts

It works great.

the L-shaped jack is now safely oriented to keep it from getting jammed when the laptop is on a flat surface.

I suppose I could use screws to more securely attach it to the laptop, but I decided against that. I do want it to “break-away” easily if the cord is tripped over or snagged.

I did lightly crimp the housing just a bit to allow a snugger fit on the VGA plug itself.

I probably should have mounted it securely in a vise when I did the drill-out to get a more accurate hole and placement, but it was close enough.

Sunday, February 08, 2009

Fortunately it has been concentrated in a few key areas: SKU’s for Windows 7 and more back-n-forth action with UAC than we say during this year’s Super Bowl.

How well does Windows 7 handle 512MB? - Ed Bott’s Microsoft Report. “Very well” apparently is the answer. I’m not surprised and I suppose some real low-end systems might be used to run Windows 7 (along with “netbooks”) but I wouldn’t want to have to use a system with anything less than 2GB RAM now. Call me spoiled but I like the extra headroom.

A closer look at the Windows 7 SKUs - Windows 7 Team Blog and Six of 7: Microsoft announces Windows 7 versions – Chron.com TechBlog. Details emerge from the W7 levels for sale. Do want Windows 7 Home Premium or Windows 7 Professional? A single DVD will contain all versions offered for Windows 7, so if you go cheap and regret it, you get instant upgrade satisfaction (with some extra greenbacks). As you crawl up the SKU food-chain, you keep all the features of the lower versions, but get more. Then if you are in a “specific market” there is Windows 7 Starter, Windows 7 Home Basic, and Windows 7 Enterprise. Then there is Windows 7 Ultimate which offers the whole kit-n-caboodle. Yep. Leave it to MS to make product selection still clear as mud.

Windows 7 DirectAccess – Features and Windows 7 DirectAccess – Experiences – 4sysops blog takes a look at this VPN-replacement feature for Windows 7 clients and Server 2008. It has lots of features and supports automatic, VPN’ish connections between the user’s system and the remote server with no end-user interaction once set up. However it does seem to have some high requirements to function on the server side. Looks to be pretty cool but I’m not seeing it as a replacement for traditional VPN setups anytime soon.

And then there was that whole UAC fumble and recovery…

Engineering Windows 7 : Update on UAC – Engineering Windows 7 Blog – Microsoft goes in depth on why W7 UAC is so much better than Vista UAC. Not only that, they feel malware will have an even harder time getting on a W7 system than a Vista system. And that people (sysadmins and security folks) just aren’t getting those facts correct. Key takeaway quotes were “One important thing to know is that UAC is not a security boundary. UAC helps people be more secure, but it is not a cure all. UAC helps most by being the prompt before software is installed.” and “Recapping the discussion so far, we know that the recent feedback does not represent a security vulnerability because malicious software would already need to be running on the system.” I know they are working hard at listening to test users, but they just weren’t also listening to the outcry from the security researchers and folks who have to clean up the messes users make on their systems, despite UAC.

List of Windows 7 (beta build 7000) auto-elevated binaries - Within Windows – R.Rivera then goes through the binaries in Windows 7 and identifies 68 selected binaries that could be potentially used (some more likely than others) to auto-elevate any code they are asked to execute on behalf on the application that has engaged them to do so.

With this feedback and a lot more we are going to deliver two changes to the Release Candidate that we’ll all see. First, the UAC control panel will run in a high integrity process, which requires elevation. That was already in the works before this discussion and doing this prevents all the mechanics around SendKeys and the like from working. Second, changing the level of the UAC will also prompt for confirmation

The first change was a bug fix and we actually have a couple of others similar to that—this is a beta still, even if many of us are running it full time. The second change is due directly to the feedback we’re seeing. This “inconsistency” in the model is exactly the path we’re taking. The way we‘re going to think about this that the UAC setting is something like a password, and to change your password you need to enter your old password.

The feedback is that UAC is special, because it can be used to disable silently future warnings if that change is not elevated and so to change the UAC setting an elevation will be required.

A lesser-know feature of Windows 7 is its native support to recognize and access virtual hard drive files. Now to be clear, this won’t be the same as actually virtually “running” any OS the virtual hard drive may have (a la Virtual PC 2007). It is more like mounting an “off-line” version of the virtual hard drive so you can access the files contained within.

In Windows 7 / Windows Server 2008 R2 VHD support is now part of the platform. This means that you do not need to enable Hyper-V to mount and manipulate virtual hard disks. You can mount virtual hard disks directly on your Windows 7 / Windows Server 2008 R2 system in two ways. The first is to use the Disk Management UI:

Open the Start menu

Right click on Computer and select Manage

Expand Storage and click on Disk Management

Click on the Action menu and select Attach VHD

Enter the Location and name of you virtual hard disk (there is a browse button you can use)

Click OK

And you are done - simple! To unmount the virtual hard disk you just need to right click on Disk entry for the virtual hard disk and select Detach VHD.

The other option is to use diskpart. To do this you will need to:

Open up an administrative command prompt.

Run diskpart

Type in SELECT VDISK FILE=insert your VHD file path and name here

Type in ATTACH VDISK

When you are done you can unmount the VHD using the DETACH VDISK command under diskpart.

Awesome work there Ben!

Though I personally think Microsoft should just go ahead and add it natively to the right-click shell context menu to instantly allow for right-click mounting/dismounting of the VHD’s. I think it will only be a short matter of time before someone is clever enough to do so via a registry hack like the method Robert McLaws came up with for handling WIM file mounting/dismounting.

Sample Analysis System - F-Secure Weblog – F-Secure is now offering a new way to submit malware samples (or suspected malware samples). Users can register or submit anonymously…though being anonymous has its limits. Registered users are able to access reports, track usage, and (it appears) retrieve reports on items they have turned in in the past. This might encourage dedicated contributors as well as help organize regular users’ data.

How Do They Make All That Malware? – Larry Seltzer at eWeek does a short post that outlines how malware writers bulk-create their naughty-naughties as well as how the A/V companies leverage web-based scanning services to bulk up on their own DAT signatures. It’s a constant arms race with many being caught and protected against, but like those little swimmers, it just takes one to make it through.

TimeLine Analysis – Windows Incident Response blog – One of the challenges in forensics work is trying to lay out a time-line for events. While one would think that with all the file-dating, file access dating, logging, and other excitement that Windows is constantly doing, it would end up in a simple open-n-shut case. Turns out that is much harder to do…at least do accurately and do well. Different applications and systems record time data in different ways and formats. It takes a multitude of tools and skill from the examiner to slowly peel back all the layers and lay out a solid scenario of events.

The Security Shoggoth: Strings and update – The Security Shoggoth blog – Light but useful examination on the use of Strings from Sysinternals. Specifically how some additional arguments on the command-line can pull either ASCII or UNICODE strings out of search parameters.

Browser Plugins, Add-Ons and Security Advisers – Hackademix blog. Giorgio Maone goes on an offensive defense of Firefox security when it comes to Add-ons and other things. Yes, clearly all these elements make Firefox great, but also open the browser to security issues if a malicious add-on is adopted. Fortunately, as Giorgio shares, there is a whole lot of cross checking going on in the community. As long as you are getting your Add-ons from trusted sources, you should be good.

OpenDNS to block Conficker - heise Security UK – This great DNS service on Monday will begin to block Conficker attempts to connect to potential control servers. Administrator alerts to the presence of the worm will be available and should help efforts to locate infected systems. The service is free to both businesses and home users, but will require registration to access the tracking and logging features. I use OpenDNS at home and have configured our router to use it as the DNS service. Never had any issues. It is an amazing service.

Breaking Update to post

Some tricks from Conficker's bag - SANS-ISC Handler’s Diary has some more information on the Conficker virus. Interesting findings: First that is checks to see the way it was executed Depending on what it finds, it acts accordingly. Secondly, it patches (in memory) the MS flaw that allows it to attack a system in the first place. This is to presumably prevent the system it is running on from being cross-attacked by other malware using the same exploit it is. It’s not an altruistic move as it isn’t a permanent patch. Finally (and this was new to me), it uses an Microsoft code element to delete all System Restore points for the system. This prevents responders/users from going back to a previous “pre-infection” recovery point. Mighty nasty!

Saturday, February 07, 2009

The Case of the Phantom Desktop Files – Mark’s Blog. Yep. Microsoft Sysinternals guru Mark Russinovich breaks down a new mystery revealed on his wife’s system. It’s good information and might be valuable from a forensics or malware fighting perspective. Turns out it is a PMIE(Private [browsing] Mode Internet Explorer) Integrity Level thing and as always, very fascinating.

Birth of a Security Feature: ClickJacking Defense – IEBlog continues it drumbeating celebration of IE8’s “ClickJacking” defenses. They’ve done the coding in their browser and now are out to convert the web developers to change their code to “activate” that protection. I’m not sure I fully understand it but something just seems a bit off. Maybe I’ve been reading NoScript (and clickjacking defender) Giorgio Maone’s hackademix.net blog responses to the whole thing too much and have become biased. To the IE team’s credit, at least they are trying.

Windows XP Your Way- Configuring Windows Explorer – Somehow at work the other day I was fast-finger clicking though a ton of windows on my desktop. One of which was Windows Explorer. Anyway, I ended up accidently setting the display sorting view of the items to show them all grouped alphabetically. It was big-time annoying and I had to Google this stupid solution to find the menu path needed to correct it back to my “detail” view preference.

Newsfox NEXT v1.0.5rc1 – IMHO simply the best RSS feed Add-on extension for Firefox there is hands down. Development has slowed but the developer continues to tweak it. I’m using it right now and it performs great and is stable on my systems. The RSS feed that describes this release doesn’t pull up the actual update post yet so I have copied it below.

This will become version 1.0.5 after bug fixes. This will not happen for months due to time constraints/scheduling. I expect that this version can be used without any difficulties.

The usual disclaimers apply: this is a beta release so use it with caution on a backup of your Newsfox folder.

The new features (where to look for bugs to fix):

Relative references allowed for NewsFox folderThe folder for NewsFox has been hard coded which creates an annoyance, but not lack of functionality, when using portable Firefox. The annoyance being that the new directory needs to be chosen each time, and in fact if the newsfox directory is not carefully chosen so that it doesn't exist as a non-NewsFox folder on other machines, there could be problems running NewsFox. This version allows relative filenames such as ../../newsfox (. is the current directory and .. is the parent directory) and uses a default of ./ where .=the newsfox folder contained in the profile folder. Hence if you use ./, there should be no problems with portable Firefox. Existing users may wish to change their NewsFox folder to use a relative reference, either in Options > General tab > NewsFox directory or by setting newsfox.global.directory equal to './'. Equivalently, the about:config preference newsfox.global.directory can be reset(removed), which will cause the default to be used.

Expanded search option dialog if search is not over all feeds (bug#20506) It is now easier to set a search over a collection of feeds that is not a regular group. See the bug for more information.

Blank source or XHTML in sourceNow if a source is set in a feed and it has a blank name, NewsFox uses .... Also if XHTML is in the source name, NewsFox processes it correctly.

Sound for new articles (bug#20218) For sound notification set newsfox.global.notifyUponNewSound equal to true. If the file NFsound.wav exists in the profile directory, it will be played when there are new articles. If the file NFsound.wav does not exist, the system beep will be played.

R Pruitt (wa84it AT gmail.com)

Official Gmail Blog: New in Labs: Multiple Inboxes – This seems a bit inaccurate. As I understand it, you can still only have one “inbox” in Gmail. You can’t display other account inbox’s in your gMail account view. What you can do is set up additional “viewing panes” that display items from your primary “inbox” that meet certain custom filter/label settings you configure. Still, it’s pretty cool for power gMail users. For more related links and tips:

Mozilla Add-ons Blog - How to develop a Firefox extension – An updated walkthrough on the basic stages needed to develop a Firefox extension. There are other great (and more technical) how-to’s on this subject already on the Net, but this might be one of the best places to start. Assumes you have a fair bit of coding knowledge as well as familiarity on the Firefox application structure for folders/files. I’d like to write a mini-add-on that adds a button on the toolbar that lets you instantly “back-up” your bookmark to a JSON file with a single click instead of having to browse through the menu-bar dropdowns and bookmarks manager.

My brain is still swimming in whole disk encryption issues from the past week at work.

Found these links particularly insightful or amusing; maybe both.

Cracking budget encryption - heise Security UK – Really great and extended article that show the process by which researchers analyzed and broke the on-board encryption methods used by a particular USB hard-drive system. It is great analysis work and might be useful from a forensics perspective as well.

Hard Drive Passwords Easily Defeated; the Truth about Data Protection - Computer Technology Review: Data Storage and Network Solutions. Great (though a bit old) whitepaper post on different strategies and techniques used in drive encryption. Software-based whole-disk encryption is the strongest solution currently available. Using the firmware-based HDD locking might seem like a fast and easy solution, but law-enforcement and data-recovery specialists can bypass this with a bit of effort.

What happens when you overwrite data? - SANS Computer Forensics, Investigation, and Response. Update by Dr. Craig Wright on the mechanics when data is overwritten and recovery is attempted. Nice images and very readable. Continues to expand his Overwriting Hard Drive Data post earlier presented by Dr. Wright at the same blog.

Having a cool security sticker/label on you systems that lets everyone know your system is encrypted offers no security if the system is a laptop and “lifted” while it is running and not locked down.

Just because the label says it is encrypted it in no way guarantees that the drive itself has actually been encrypted. Security auditors still have to log and verify by accessing the system that the encryption solution has been correctly applied to the drive(s). If a technician images the system and forgets to apply the encryption solution (if not automatically deployed via system policies), the sticker provides a false and dangerous sense of security completion and protection for both management and the end-user.

While a properly encrypted system does protect and guard the data on the hard-drive itself, it

Doesn’t mean that the data can’t be easily lifted by malware/trojan running on the system when the system is live and operating in an “unencrypted” mode,

Doesn’t mean that the system no longer has “theft value” as someone could remove and discard the drive, drop in a replacement and sell the sucker at a pawn shop or eBay,

Doesn’t mean that the data is protected enterprise-wide if the data is accessed/replicated across various desktop/laptop systems in the organization and any one of those systems escapes the disk-encryption process,

Doesn’t help anything if people keep their access password or passphrase taped under their keyboard, to their monitor, or cpu base.

I’m fully supportive and highly value properly applied whole-disk encryption solutions. However, it must be seen as just one more hardened layer of protection among many in a properly configured and applied organizational computer security structure.

These are freeware utilities and stuff that might be worth looking into that I found this week.

Process Explorer – version 11.33. One of the ultimate Microsoft Sysinternals tools. “This update fixes a bug where the history graph tooltips could display the wrong data point and reduces the memory footprint of the structures that store graph history.”

Autoruns for Windows – version 9.33. The other ultimate Microsoft Sysinternals tool. “This Autoruns update fixes a couple of minor bugs and adds a new Windows 7 location.”

WinPatrol v16 Monitors Changes to UAC Settings – If you are a Windows fan and have been anywhere alive over the past week, you probably have hear of some Win7 UAC design “feature” controversy. Microsoft heard their customers and relented. However, if you use WinPatrol 2008 the upcoming version 16 will provide monitor and notification of changes to UAC settings. That’s a nice layer to monitor, despite what Microsoft says.

AutoRun Eater - (freeware) – We’ve covered AutoRun issues and defenses here before. This neat security utility provides a different take. It runs in the system tray full-time and monitors execution of autorun files when devices are inserted or executed. Upon discovery it first performs an analysis. If a suspicious pattern is found, it blocks execution, tosses up a dialog window, and presents the suspicious code. Then it allows the user to block or ignore execution. Amazingly clever. Certainly not a cure-all, but it might very well provide a first and easy to use line of defense for non-technical users as well as experienced system administrators who don’t want to use some of the tougher/lock-down methods against blocking all autorun executions. Check out the Frequently Asked Questions page for details. Spotted via Donna’s SecurityFlash blog.

Free Task Manager - (freeware) – I know it is kinda sacrilegious to mention any other Windows Task Manager in the same post as Process Explorer (my default manager), but this one might provide some features for less-technical users. It doesn’t really “replace” the default Task Manager but provides some extended features such as Disk I/O graphing, port monitoring by application, and a locked-file identifier. I have and use much more focused and specialized tools for all of those tasks, but for someone looking to move up from the standard, but doesn’t need the power-hitting utilities I use for those things, this might be worth looking into.

MyLastSearch v1.35 - (freeware) – NirSoft app that “…scans the cache and history files of your Web browser, and locate all search queries that you made with the most popular search engines (Google, Yahoo and MSN). The search queries that you made are displayed in a table.” This version now lets you filter results by Web browser (in Advanced Options) .

IECacheView v1.25 - (freeware) – NirSoft app that “…that reads the cache folder of Internet Explorer, and displays the list of all files currently stored in the cache. For each cache file, the following information is displayed: Filename, Content Type, URL, Last Accessed Time, Last Modified Time, Expiration Time, Number Of Hits, File Size, Folder Name, and full path of the cache filename.” This version now has an option to filter cache results by displaying only URLs which contain the specified filter strings. Cool.

highlighter - (freeware) – Neat log file viewer and analysis tool spotted via SANS ISC Handler’s Diary post this week and offered by Mandiant. I downloaded the msi installer and in a moment had it up and running. Besides being another tool to read log files, you can highlight words to focus on, and remove “good word patterns” to narrow down your view. It also provides a neat GUI view in a dynamic image format to show content and structure of the file, along with a histogram view to show patterns in the file. It sounds like a lot but the utility is light, fast and easy to grasp. It also comes with a nice help file. Check it out. If it’s from Mandiant, it must be good!

Threat Detector - Cyber Patrol – Web-based application that will scan a system (Internet Explorer only) and look for usage patterns for dangerous, malicious, or “bad” sites. Might not help if the history/cache/browsing history has been nuked or if PrivateBrowsing was used. However, for parents who have systems where the family uses IE exclusively, it might be worth doing a quick scan to see what comes up. Just a tool, use with a grain of salt.

GBridge - (freeware) - “Gbridge is a free software that lets you sync folders, share files, chat and VNC securely and easily. It extends Google's gtalk service to a collaboration VPN (Virtual Private Network) that connects your computers and your close friends' computers directly and securely.” I’m a big fan of ShowMyPC for free remote desktop support, but setting up a remote-to-my-pc connection is a $ feature and getting one set up and running with the open-source tools can be challenging. MakeUseOf has a great how To: Extend Google Talk Into A Remote Access Tool With GBridge that shows you how to really make this work.

Wireshark: Wireshark 1.0.6 Released – Open Source network sniffing tool had various bug and security concerns fixed in this update. In both full install and portable versions.

Credits

Why this? It is the simple blog of a Last Exile fan and is intended to express the enjoyment we derive from studio Gonzo's production. Although we closely relate with those characters, we aren't them in real life. We just want to keep the memory of these incredible young kids alive. So go buy Gonzo's Last Exile DVD's!